Congress introduces security breach bills

Members of Congress introduced security breach bills during the first half of the month, and the industry is watching the action closely to see if a federal bill will be passed.

In the Senate, Sen. Patrick Leahy (D-VT), chairman of the Senate Judiciary Committee, and Sen. Arlen Specter (R-PA), ranking member of the same committee, introduced on Feb. 6 a revised version of their Personal Data Privacy Act that was approved by the Senate Judiciary Committee last year but died before a floor vote. A key feature of the legislation, S. 495, includes increasing criminal penalties for identity theft involving electronic personal data and making it a crime to intentionally or willfully conceal a security breach involving personal data.

"We've been in favor of a national standard in security breaches for a long time, and we expect a security breach bill to be passed in Congress this session," said Jerry Cerasale, senior vice president of government affairs for the Direct Marketing Association.

A security breach bill was also introduced in the House on Feb. 8 by Reps. Bobby Rush (D-IL) and Cliff Stearns (R-FL). The bill, The Data Accountability and Trust Act (DATA), HR 958, which is currently in the Energy and Commerce committee, says that any business that houses personal information must implement specific security practices, including methods for dealing with disposal of "obsolete" information. The bill would also mandate notification requirements in the event of a breach of personal data.

Mr. Cerasale said that the DMA has worked hard to make sure that marketing data is not covered in either bill.

"We want to make sure that if I buy a 'Save the Children' tie, that you can't steal my identity with that information," Mr. Cerasale said. "Our push is to ensure that marketing data is not included within the scope of notification."

The House bill allows for access and correction, meaning marketers must let consumers access or change data.

"This is something we oppose because we see this as a possible security risk rather than a security enhancement," Mr. Cerasale said. "If consumers can go in and get or change data, crooks may be able to go in and change data as well. [The function] takes away a tool to help marketers nip identity theft in the bud."

Mr. Cerasale, however, said that the DMA is working with Congress on both bills and hopes the right one will be passed.

"It's not like we are miles apart in agreement," he said. "We are dealing with a few issues and we are going to be working hard on this and hope to get it solved soon."